Reporting and Continuous Monitoring a. Following the initial ATOs, the Contractor (and/or any subcontractor) must perform the minimum ongoing continuous monitoring activities specified below, submit required deliverables by the specified due dates, and meet with the system/service owner and other relevant stakeholders to discuss the ongoing continuous monitoring activities, findings, and other relevant matters. The CSP will work with the agency to schedule ongoing continuous monitoring activities. Monitoring activities will include monthly reports/invoices and ad hoc meetings to discuss progress.
Reporting and Continuous Monitoring. Maintenance of the security Authorization to Operate will be through continuous monitoring and periodic audit of the operational controls within a Quoter’s system, environment, and processes to determine if the security controls are meeting government regulatory and compliance requirements. Through continuous monitoring, security controls and supporting deliverables will be maintained and submitted to an ordering activity in accordance with customer IT security standards, policies, and reporting requirements. NIST published SP800-86 Guide to Integrating Forensic Techniques into Incident Response. SP800-86 defines in a much more precise and specific way the procedures, issues and technologies required to move an incident from the point of discovery all the way through to resolution.
Reporting and Continuous Monitoring. Maintenance of the security authorization to operate will be through continuous monitoring of security controls of the contractors system and its environment of operation to determine if the security controls in the information system continue to be effective over time in light of changes that occur in the system and environment. Through continuous monitoring, security controls and supporting deliverables are updated and submitted to GSA per the schedules below. The submitted deliverables (or lack thereof) provide a current understanding of the security state and risk posture of the information systems. They allow GSA authorizing officials to make credible risk-based decisions regarding the continued operations of the information systems and initiate appropriate responses as needed when changes occur. Deliverables to be provided to the GSA COR/ISSO/ISSM Quarterly 1. Plan of Action & Milestones (POA&M) Update Reference: NIST 800-53 control CA-5 The Contractor shall provide POA&M updates in accordance with requirements and the schedule set forth in GSA CIO IT Security Procedural Guide 09-44, “Plan of Action and Milestones.” An initial copy of the POA&M shall be submitted to the GSA CO and COR via email sixty (60) calendar days after award and then due on the 15th of the month following the end of each quarter (January, April, July, October).
Reporting and Continuous Monitoring. Maintenance of the Authority-To-Operate (ATO) will be through continuous monitoring of security controls and the operating environment to determine if the security controls continue to be effective over time in light of changes that occur in the system and environment. JVP will ensure that system security documentation and continuous monitoring reports are kept up-to-date and made available for NTIS to review within three (3) business days of request. This will allow the Authorizing Officials to make credible risk-based decisions regarding the continued operations of the information systems and initiate appropriate responses as needed when changes occur. System security documentation and reporting requirements will conform to current year FISMA/FedRAMP reporting instructions as specified by OMB memoranda, current year FISMA/FedRAMP documentation templates, and current year, non-draft revisions of the National Institute of Standards and Technology’s 800 series publications pertaining to security and privacy controls for Federal Information Systems.
